[Pkg-shadow-devel] Bug triage

Alexander Gattin arg@online.com.ua
Sun, 9 Jan 2005 03:15:36 +0200


On Fri, Jan 07, 2005 at 05:25:53PM +0100, Luk Claes wrote:
> Can at least these bugs be closed or do they need some more investigation?

Some may be closed (IMHO). For example, these ones:
> #253297: login on tty hangs before asking for password if using issue file
> #69090: shell variables in su/sudo

They look like what we here in Ukraine call
"underground knocking". They are strange and not
reproducible, as far as I see. At least, I couldn't
reproduce any of them myself and there's no further
original submitters' activity about the reports.

> #262453: login: su, sudo: Local security hole -- arbitrary character
> injection
> #262455: login: su, sudo, super: Local security hole -- arbitrary
> character injection

These two are merged, and I don't know how they
currently proceed, in kernel or otherwise. Seems that
nothing has changed there, at least PoC works...

Maybe it's best to leave them open until a solution
appears, just for people to know about things like
these.

BTW, I think a solution is possible, in the form of a
kernel patch (a la grsec2, which I myself use), and it
may, for example, involve restricting TIOCSTI on FDs
that were inherited after setuid(), or blocking TIOCSTI
when FD is used by another uid or smth. similar, maybe
on a configurable basis.

> Normal
> #60641: login: The FAIL_DELAY variable doesn't seem to work.

This is due to "collision" with PAM's delay and because
this behaviour is badly documented.
I think that something like the following comment
should be in /etc/login.defs:

# Delay in seconds before being allowed another attempt after a login failure
FAIL_DELAY		3
# When login uses pam_unix without "nodelay" option (most typical situation),
# actual delay is MAX(FAIL_DELAY, 2 seconds).
# Moreover, PAM randomizes each individual delay by +-25%

> #63778: Initial Install dpkg-reconfigure not accepting root password
> #71027: usermod infinite recursion
> #89523: passwd changes config NIS

I didn't have a look at these yet...

More funny are the bugs like the following one:
     * #276419: su appends the positional args to the command line
       Package: login; Severity: important; Reported by: "Helmut
       Waitzmann" (Debian Bug Tracking System)
       <Helmut.Waitzmann.nospam@web.de>; 86 days old.

This behavior is broken only in Debian, but su from
upstream uses another syntax (su [-] [<username> [<ARGS>]],
i.e. there's no [OPTS] and getopt, BTW).
This means that Helmut Waitzmann's example won't work on
either. ;)

I see that Debian's run_shell is what is broken.

Also, please note this bug:
     * #95213: login: setting of envvars fails from (exec) login: prompt
       Package: login; Reported by: Jeff Sheinberg <jeff@bsrd.net>; 3
       years and 258 days old.

> Here is what the login(1) man page says about specifying envvars at
> the "login:" prompt,
> 
>        When invoked from the login: prompt, the  user  may  enter
>        environmental  variables  after the username.  These vari-
>        ables are entered in the form NAME=VALUE.  Not  all  vari-
>        ables  may  be  set in the fashion, notably PATH, HOME and
>        SHELL.

This doesn't work because login is typically called by
*getty and *getty provides "login:" prompt, but *getty
doesn't split username/arg1/arg2 into argv array.

Similarly, login itself (when being run from root
shell) doesn't make the split. Maybe related developers
took a bad habit from *getty team? :)

Will we fix this?
-- 
WBR,
Alexander